How to configure Network Security for the SNMP Service in Windows 2003

SUMMARY

This step-by-step article describes how to configure network security for the Simple Network Management Protocol (SNMP) service in Windows Server 2003.

The SNMP service acts as an agent that collects information that can be reported to SNMP management stations or consoles. You can use the SNMP service to collect data and manage Windows Server 2003, Microsoft Windows XP, and Microsoft Windows 2000-based computers throughout a corporate network.

Communications between SNMP agents and SNMP management stations are typically secured by assigning a shared community name to the agents and management stations. When an SNMP management station sends a query to the SNMP service, the community name of the requestor is compared to the community name of the agent. If they match, the SNMP management station has been authenticated. If they do not match, the SNMP agent considers the request a "failed access" attempt, and may send an SNMP trap message.

The SNMP messages are sent in clear text. These clear text messages are easily intercepted and decoded by network analyzers, such as Microsoft Network Monitor. Community names can be captured and used by unauthorized personnel to gain valuable information about network resources.

IP Security Protocol (IPSec) can be used to protect SNMP communications. You can create IPSec policies that secure communications on TCP and UDP ports 161 and 162, which protects SNMP transactions.

Create a filter list

To create an IPSec policy to secure SNMP messages, first create the filter list. To do this, follow these steps:
1. Click Start, point to Administrative Tools, and then click Local Security Policy.
2. Expand Security Settings, right-click IP Security Policies on Local Computer, and then click Manage IP filter lists and filter actions.
3. Click the Manage IP Filter Lists tab, and then click Add.
4. In the IP Filter List dialog box, type SNMP Messages (161/162) in the Name box, and then type Filter for TCP and UDP ports 161 in the Description box.
5. Click to clear the Use Add Wizard check box, and then click Add.
6. In the Source address box on the Addresses tab of the IP Filter Properties dialog box that appears, click Any IP address. In the Destination address box, click My IP Address. Click to select the Mirrored. Match packets with the exact opposite source and destination addresses check box.
7. Click the Protocol tab. In the Select a protocol type box, click UDP. In the Set the IP protocol port box, click From this port, and then type 161 in the box. Click To this port, and then type 161 in the box.
8. Click OK.
9. In the IP Filter List dialog box, click Add.
10. In the Source address box on the Addresses tab of the IP Filter Properties dialog box that appears, click Any IP address. In the Destination address box, click My IP Address. Click to select the Mirrored. Match packets with the exact opposite source and destination addresses check box.
11. Click the Protocol tab. In the Select a protocol type box, click TCP. In the Set the IP protocol port box, click From this port, and then type 161 in the box. Click To this port, and then type 161 in the box.
12. Click OK.
13. In the IP Filter List dialog box, click Add.
14. In the Source address box on the Addresses tab of the IP Filter Properties dialog box that appears, click Any IP address. In the Destination address box, click My IP Address. Click to select the Mirrored. Match packets with the exact opposite source and destination addresses check box.
15. Click the Protocol tab. In the Select a protocol type box, click UDP. In the Set the IP protocol port box, click From this port, and then type 162 in the box. Click To this port, and then type 162 in the box.
16. Click OK.
17. In the IP Filter List dialog box, click Add.
18. In the Source address box on the Addresses tab of the IP Filter Properties dialog box that appears, click Any IP address. In the Destination address box, click My IP Address. Click to select the Mirrored. Match packets with the exact opposite source and destination addresses check box.
19. Click the Protocol tab. In the Select a protocol type box, click TCP. In the Set the IP protocol port box, click From this port, and then type 162 in the box. Click To this port, and then type 162 in the box.
20. Click OK.
21. Click OK in the IP Filter List dialog box, and then click OK in the Manage IP filters lists and filter actions dialog box.

Create an IPSec policy

To create the IPSec Policy to force IPSec for SNMP communications, follow these steps:
1. Right-click the IP Security Policies on Local Computer in the left pane, and then click Create IP Security Policy. The IP Security Policy Wizard starts.
2. Click Next.
3. On the IP Security Policy Name page, type Secure SNMP in the Name box. In the Description box, type Force IPSec for SNMP Communications, and then click Next.
4. Click to clear the Activate the default response rule check box, and then click Next.
5. On the Completing the IP Security Policy Wizard page, verify that the Edit properties check box is selected, and then click Finish.
6. In the Secure SNMP Properties dialog box, click to clear the Use Add Wizard check box, and then click Add.
7. Click the IP Filter List tab, and then click SNMP Messages (161/162).
8. Click the Filter Action tab, and then click Require Security.
9. Click the Authentication Methods tab. Kerberos is the default authentication method. If you require alternate authentication methods, click Add. In the New Authentication Method Properties dialog box, select the authentication method that you want from the following list, and then click OK:
Active Directory default (Kerberos V5 protocol)
Use a certificate from the certification authority (CA)
Use this string (preshared key)
10. In the New Rule Properties dialog box, click Apply, and then click OK.
11. In the Secure SNMP Properties dialog box, verify that the SNMP Messages (161/162) check box is selected, and then click OK.
12. In the right pane of the Local Security Settings console, right-click the Secure SNMP rule, and then click Assign.
Complete this procedure on all Windows-based computers that are running the SNMP service. This IPSec Policy must also be configured on the SNMP management station.
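The same filter list, filter action, policy, rule and assignment can be built from the command line with the netsh ipsec static context that ships with Windows Server 2003, which is easier to repeat identically on every agent and on the management station. The script below is an added example, not part of the original article; the filter action name "Require Security (SNMP)" and the rule name "Secure SNMP rule" are assumed here (the article uses the built-in Require Security action in the GUI), and the other names match the article's steps.

```batch
@echo off
rem Added example (not from the original article): the IPSec policy the GUI
rem steps above build, created with netsh ipsec static on Windows Server 2003.
rem Run from cmd.exe as an administrator on each SNMP agent and on the
rem SNMP management station.

rem 1. Filter list with four mirrored filters, any address -> my address,
rem    for UDP and TCP ports 161 and 162 (as in the article's filter list).
netsh ipsec static add filterlist name="SNMP Messages (161/162)" description="Filter for TCP and UDP ports 161 and 162"
netsh ipsec static add filter filterlist="SNMP Messages (161/162)" srcaddr=any dstaddr=me protocol=UDP srcport=161 dstport=161 mirrored=yes
netsh ipsec static add filter filterlist="SNMP Messages (161/162)" srcaddr=any dstaddr=me protocol=TCP srcport=161 dstport=161 mirrored=yes
netsh ipsec static add filter filterlist="SNMP Messages (161/162)" srcaddr=any dstaddr=me protocol=UDP srcport=162 dstport=162 mirrored=yes
netsh ipsec static add filter filterlist="SNMP Messages (161/162)" srcaddr=any dstaddr=me protocol=TCP srcport=162 dstport=162 mirrored=yes

rem 2. Filter action that negotiates IPSec and never falls back to clear
rem    text (soft=no) nor accepts unsecured inbound packets (inpass=no).
rem    Name is assumed; the built-in "Require Security" action is what the
rem    article selects in the GUI.
netsh ipsec static add filteraction name="Require Security (SNMP)" action=negotiate inpass=no soft=no

rem 3. Policy with the default response rule deactivated, matching step 4.
netsh ipsec static add policy name="Secure SNMP" description="Force IPSec for SNMP Communications" activatedefaultrule=no

rem 4. Rule that ties the filter list to the filter action, authenticated
rem    with Kerberos (the article's default). Rule name is assumed.
netsh ipsec static add rule name="Secure SNMP rule" policy="Secure SNMP" filterlist="SNMP Messages (161/162)" filteraction="Require Security (SNMP)" kerberos=yes

rem 5. Assign the policy (step 12) and print it back to verify the result.
netsh ipsec static set policy name="Secure SNMP" assign=y
netsh ipsec static show policy name="Secure SNMP" level=verbose
```

Two points to check before assigning this in production. Because the action refuses clear-text fallback, any management station or agent that does not carry a matching policy loses SNMP access the moment the policy is assigned, so roll it out to the management station first and unassign with `netsh ipsec static set policy name="Secure SNMP" assign=n` if polling stops. Kerberos authentication also requires both computers to be members of the same Active Directory forest (or a trusting one); for workgroup computers or a non-Windows management station, use the certificate or preshared-key method the article lists under step 9 (`rootca=` or `psk=` on the add rule command instead of `kerberos=yes`).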
